I have set up Vault inside kubernetes, and a ClusterIssuer that works as expected.
```yaml
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: vault-cluster-issuer
  namespace: cert-manager
spec:
  vault:
    path: pki/sign/my-issuer
    server: http://vault.vault.svc.cluster.local:8200
    auth:
      kubernetes:
        role: cert-manager
        mountPath: /v1/auth/kubernetes
        secretRef:
          name: issuer-token
          key: token
```
How to reproduce
1. Create an ingress for test.example.com with cluster-issuer: vault-cluster-issuer. The server certificate is created as expected.
2. Go into the Vault UI and revoke the server certificate.
3. Delete the certificate in k8s.
4. The ClusterIssuer recreates the server certificate in k8s, even though it has been revoked. The message is "Certificate is up to date and has not expired", which is... technically true.
5. If I add the CRL to the ClusterIssuer's secret (as ca.crl), it recognizes the server certificate as revoked and issues a new one using Vault.
Question: why is the revoked certificate reused in step 4 above? Isn't the ClusterIssuer contacting Vault? Is Vault sending the certificate even though it has been revoked? Does k8s have some cache which makes it not contact Vault and just reuse/recreate the one it had? (I have deleted the certificate from k8s.)
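The difference between the "up to date and has not expired" message and the behaviour seen once a CRL is present comes down to what each check can observe: validity dates are inside the certificate, revocation is not. The following script is an added example, written in Python with the `cryptography` library; it is not part of the question, not cert-manager's or Vault's code, and does not show how cert-manager itself handles a ca.crl entry. It constructs its own throwaway CA (standing in for the Vault PKI mount), issues a leaf for test.example.com, signs a CRL that lists that leaf, and compares an expiry-only status with a CRL-aware one. The helper names (`make_ca`, `issue_leaf`, `build_crl`, `crl_status`, `simulate`) and all key material are constructed for the example.

```python
# Added example (not from the question, cert-manager or Vault): a constructed CA, a
# leaf for test.example.com and a CRL, showing why an expiry-only check still reports
# "up to date" for a certificate the CA has revoked, while a CRL check reports "revoked".
from datetime import datetime, timedelta, timezone

from cryptography import x509
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID


def _utcnow():
    # Naive UTC, matching the datetimes cryptography stores on certificates and CRLs.
    return datetime.now(timezone.utc).replace(tzinfo=None)


def _not_after(cert):
    # cryptography >= 42 exposes tz-aware *_utc properties; older versions only the naive form.
    value = getattr(cert, "not_valid_after_utc", None)
    return value.replace(tzinfo=None) if value is not None else cert.not_valid_after


def _next_update(crl):
    value = getattr(crl, "next_update_utc", None)
    return value.replace(tzinfo=None) if value is not None else crl.next_update


def make_ca(common_name="constructed test CA"):
    """Self-signed CA standing in for the Vault PKI mount (constructed, not Vault)."""
    key = ec.generate_private_key(ec.SECP256R1())
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, common_name)])
    now = _utcnow()
    cert = (
        x509.CertificateBuilder()
        .subject_name(name)
        .issuer_name(name)
        .public_key(key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(now - timedelta(minutes=1))
        .not_valid_after(now + timedelta(days=1))
        .add_extension(x509.BasicConstraints(ca=True, path_length=None), critical=True)
        .sign(key, hashes.SHA256())
    )
    return key, cert


def issue_leaf(ca_key, ca_cert, dns_name):
    """Issue a server certificate for one Ingress host, signed by the constructed CA."""
    key = ec.generate_private_key(ec.SECP256R1())
    now = _utcnow()
    return (
        x509.CertificateBuilder()
        .subject_name(x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, dns_name)]))
        .issuer_name(ca_cert.subject)
        .public_key(key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(now - timedelta(minutes=1))
        .not_valid_after(now + timedelta(days=1))
        .add_extension(x509.SubjectAlternativeName([x509.DNSName(dns_name)]), critical=False)
        .sign(ca_key, hashes.SHA256())
    )


def build_crl(ca_key, ca_cert, revoked_serials):
    """Sign a CRL listing the given serials; its PEM is the kind of data a ca.crl entry carries."""
    now = _utcnow()
    builder = (
        x509.CertificateRevocationListBuilder()
        .issuer_name(ca_cert.subject)
        .last_update(now)
        .next_update(now + timedelta(days=1))
    )
    for serial in revoked_serials:
        entry = x509.RevokedCertificateBuilder().serial_number(serial).revocation_date(now).build()
        builder = builder.add_revoked_certificate(entry)
    return builder.sign(ca_key, hashes.SHA256())


def expiry_only_status(cert):
    """What a check that reads only the validity dates can say; revocation is invisible to it."""
    return "up to date" if _not_after(cert) > _utcnow() else "expired"


def crl_status(cert, ca_cert, crl):
    """Defender-side check: trust the CRL only if the CA signed it and it is still current."""
    if not crl.is_signature_valid(ca_cert.public_key()):
        return "crl signature invalid"
    if crl.issuer != cert.issuer:
        return "crl issuer mismatch"
    next_update = _next_update(crl)
    if next_update is not None and next_update < _utcnow():
        return "crl stale"
    if crl.get_revoked_certificate_by_serial_number(cert.serial_number) is not None:
        return "revoked"
    return expiry_only_status(cert)


def simulate():
    """Run the scenario from the question against the constructed CA and return each verdict."""
    ca_key, ca_cert = make_ca()
    leaf = issue_leaf(ca_key, ca_cert, "test.example.com")
    empty_crl = build_crl(ca_key, ca_cert, [])
    revoked_crl = build_crl(ca_key, ca_cert, [leaf.serial_number])
    return {
        "before_revocation": crl_status(leaf, ca_cert, empty_crl),
        "expiry_only_after_revocation": expiry_only_status(leaf),
        "crl_after_revocation": crl_status(leaf, ca_cert, revoked_crl),
        "crl_pem_for_secret": revoked_crl.public_bytes(serialization.Encoding.PEM).decode(),
    }


if __name__ == "__main__":
    for key, value in simulate().items():
        print(key, "=>", value.splitlines()[0] if key.endswith("pem_for_secret") else value)
```

The two verdicts after revocation are the point: `expiry_only_status` keeps answering "up to date" because nothing in the certificate changes when the CA revokes it, while `crl_status` only flips to "revoked" once it is handed a CRL it can verify against the CA key. The check also refuses a CRL signed by a different key or one past its next_update, which is what you would want before letting a CRL from a secret decide whether a certificate is reissued.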